Fast and secure key distribution using mesoscopic coherent states of light. 
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This work shows how two parties A and B can securely share sequences of random bits at optical 
speeds. A and B possess true-random physical sources and exchange random bits by using a random 
sequence received to cipher the following one to be sent. A starting shared secret key is used and 
the method can be described as an unlimited one-time-pad extender. It is demonstrated that the 
minimum probability of error in signal determination by the eavesdropper can be set arbitrarily 
close to the pure guessing level. Being based on the Af-ry encryption protocol this method also 
allows for optical amplification without security degradation, offering practical advantages over the 
BB84 protocol for key distribution. 



INTRODUCTION 

Physical cryptography can create schemes providing 
two users, at distinct locations, with on-demand copies of 
a secure sequence of random bits of arbitrary length and 
at fast rates. These schemes could be of high value for 
commercial systems operating over long distances. Based 
on physical laws instead of mathematical complexities, 
communication with perfect secrecy could be guaranteed 
over an insecure channel in Vernam's sense of a one-time- 
pad. Technology advances, therefore, such as enhanced 
computational power, should not affect the security of 
these schemes. The BB84 quantum protocol for key dis- 
tribution the paradigm among protocols of this type, 
has been used in short distance applications |3| but not 
in long distance networks. One fundamental reason is 
that the same no-cloning theorem that guarantees its se- 
curity level prohibits the signal amplification necessary in 
long-haul communication links. No practical alternative 
quantum scheme using quantum repeaters or entangled 
states hasyet been proposed although theoretical stud- 
ies exist Other practical impediments are the slow 
speed of the photon sources and the large recovery time 
of single photon detectors. 

Recently, Yuen proposed a ciphering scheme uti- 
lizing an M-ry bases system that was implemented for 
data encryption 0, 0. Ref. introduces the M-ry 
scheme and presents its first prototype-level implemen- 
tation. Ref. gives a more complete description of 
these systems. Basically, in these cryptographic proto- 
types, known as arj {a standing for coherence and 77 for 
efficiency) systems, the quantum noise inherent to co- 
herent states forces different measurement results for the 
eavesdropper and the legitimate users that use a shared 
key in their measurements. This noise will increase the 
observational uncertainty preponderantly for the eaves- 
dropper, Eve (E), rather than Alice (A) and Bob (B), the 
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legitimate users. Although this noise is irreducible by na- 
ture to all observers, the knowledge of the key allows A 
and B to discard this noise while it points to the correct 
information. The very simple idea behind this is that, 
for each bit, the noise inherent to the stated and gener- 
ated at the emitter is distributed without control among 
the output ports in Eve's measurement apparatus while 
A and B use the key to select a single output port where 
the noise does not practically affect bit readings. 

In this work a key distribution method is presented 
that also utilizes an M-ry bases ciphering scheme similar 
to the one described in for the purpose of data en- 
cryption. Each basis in the M-ry set of bases defines two 
orthogonal states whereas these bases are non- orthogonal 
among themselves ■ In these schemes a starting shared 
secret key is assumed between A and B. The phrase "key 
distribution" is being used here to denote that one party 
sends to the other random bits created by a truly ran- 
dom physical process. The exchange of random bits be- 
tween A and B is done in such a way that the quantum 
noise of the light does not allow E to obtain the final 
random sequence shared by A and B. In contrast, a clas- 
sical key expansion method could mean a process to gen- 
erate mathematically -e.g., by one-way functions- two 
identical sets of random bits, one for each user, from a 
set of shared starting bits. Stream-ciphers, for example, 
generate a stream of pseudo-random bits from a start- 
ing key. However, this deterministic process produces 
correlations that can be detected by the eavesdropper. 
Known-plaintext attacks are particularly useful to ex- 
ploit these correlations in classical cryptography. In the 
M-ry data encryption scheme, a stream cipher is used to 
generate the running key and the quantum noise of light 
protects against the correlations. 

The key distribution method presented in this work 
uses physical sources to guarantee the true randomness 
of signals. As in the data encryption scheme, the quan- 
tum noise of light provides the ultimate basic protection 
against signal identification. After presenting a set of ba- 
sic conditions to be obeyed by the system and the phys- 
ical resources needed for A and B, the key distribution 
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protocol will be described step-by-step. Each step will 
be followed by a brief description of its possible imple- 
mentation using the described physical resources. Very 
briefly, these protocol steps describe how A and B suc- 
ceed in sending new random sequences of bits from one 
to the other securely through judicious use of the quan- 
tum noise of light. This security is achieved by using a 
correct combination of average number of photons per 
bit and number of ciphering bases M, as will be shown. 
The bit encoding mechanism and the associated physical 
protection will then be discussed and a measure of the 
minimum probability of error forced by the system on 
the eavesdropper will be achieved. After showing that 
the system obeys the established conditions, conclusions 
will be presented. 
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FIG. 1: Basic scheme for key distribution. An emitter-to- 
receiver part is shown. OM is an optical modulator. PhRG 
is a physical random generator, PCI is a PC controlled inter- 
face card. Ko is the starting running key. Y(R, Ko) is the 
ciphered R. A polarization beam splitter PBS followed by 
two detectors constitute the detection system in the case of 
polarized signals. In the case of phase modulation, a phase 
sensitive detection system should be used. 



BASIC CONDITIONS 

First, a set of conditions will be defined to specify the 
boundaries within which the problem has to be solved: 

I) The eavesdropper is allowed to have full access to the 
random signal sequence being generated. Granting full 
access to the signal should be understood as similar to 
an opaque attack or, giving Eve a perfect quantum copy 
of the signal sequence. Anyway, Eve does not need to 
subtly tap the channel to obtain the signals. Eve could 
perform arbitrary measurements on this sequence or 
she could generate as many realistic (imperfect) copies 
as she wants. The unrestricted access to the signal 
sequence is the best (idealized) possible condition given 
to the eavesdropper. 

II) Eve samples all signals near the source, such that 
energy loss does not affect her data. 

It will be initially assumed that all parties have similar 
detectors; the simplest possible assumption would be of 
noiseless detectors with efficiency 1. However, it will be 
shown that although the eavesdropper needs high signal 
resolution to distinguish between two closest bases in the 
M-ry system and precision to identify a sent basis, the le- 
gitimate users do not need such strict conditions. There- 
fore, the detectors used by A and B can be less efficient. 
It will be demonstrated how one can implement a secure 
key distribution system where the minimum bit-by-bit 
eavesdropping probability of error can be arbitrarily set 
at the pure guessing value of 1/2. 

As will be shown, the protection of this scheme does 
not rely on an intrusion detection mechanism, but instead 
on the measurement advantage enjoyed by A and B over 
the eavesdropper, thanks to the knowledge of the key. 



THE KEY DISTRIBUTION PROTOCOL 

Basic physical resources 

The basic resources necessary for implementation of 
this key distribution protocol are sketched in Fig. ^ 
Two stations, A and B, are represented where the op- 
tical channel can be either free space or a fiber channel. 
Both sides have identical resources to operate as emitter 
or receiver 0. The OM's are optical modulator systems 
performing polarization or phase modulation on meso- 
scopic coherent pulses of light. Each party also possesses 
a fast speed physical random generator (PhRG) that pro- 
duces binary outputs R. PCI is a PC controlled interface 
card that can generate M voltage levels. PBS is a po- 
larizing beam splitter that is followed by two detectors 
designated by and 1. This detection system can be used 
for polarized light signals. In the case of phase modula- 
tion the detection system should be modified accordingly. 

The protocol 

Each of the seven protocol steps will be stated briefiy 
(in italics) and for a more complete illustration of the 
scheme, a short description of one possible way to imple- 
ment each step will follow: 

1. Parties A and B share an initial secret random se- 
quence ( of length Lq ) of bits Kg . 

How A and B will share this initial sequence is, of course, 
an important matter. Although current cryptography 
can provide enough security for sharing the short se- 
quence Kq at this moment, it may be vulnerable to the 
evolution of computational power. Just as an example, 
Kq could be obtained in a secure way within a few years 
through the slow but proved secure BB84 key distribu- 
tion system. The use of satellites to distribute quantum 
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keys have been under study (See Ref. |9| and references 
therein) and developments in this direction can be ex- 
pected to produce fruits in a near future. Unless proved 
otherwise, the expected rates of this quantum key distri- 
bution will be low. The scheme studied in this paper aims 
to create a fast distribution rate once a short sequence 
Kq have been obtained - even through a slow process. 

2. Party A generates a sequence (of length Lq) of true 
random bits R. 

This sequence of bits R can be obtained from the bi- 
nary output of the physical random generator (PhRG) 
as voltages Vr ~ V+ or V- that are going to be associ- 
ated with bits and 1. A possible visualization of such a 
process could be the voltage outputs Vi (i = 1,2,---) 
within a short time window At, around ti, produced 
by a fast light detector, shot-noise limited, illuminated 
by a coherent light beam. The sign of these pulses, 
sigrii = iVi — Vi)/{\Vi — Vi\), where Vi is the average pulse 
voltage, will feed a binary voltage source to provide the 
random bit sequence R |lfll |. 

3. A sends to B the random sequence R (= Ri) of 
length Lq in blocks of size Km- Ciphering each of these 
blocks uses Km bits from Kq. The number of blocks to 
be ciphered in Lq is Lq/Km- A coherent state carrier is 
used with intensity (n) / bit. 

In order to generate each cipher basis k{= 0, 1, • • • M — 1), 
Km (= log2 M) bits are used from the random sequence 
of bits Ko (e.g, k = biKM)2^^-^ + &(^m-i)2*^-2 + 
• • ■b{Ki)2^). In other words, each k basis of the M = 
2^A/ ggi; Tff^w randomly defined by Km bits taken from 
Kq. Each k will be used to cipher a block sequence of size 
Km from Ri . Ciphering Ri in blocks of size Km keeps 
the length of the transmitted bits constant and equal to 
Lo (See 

From the experimental point of view, the signals pro- 
vided by the PhRG and by the running key (Kq) define 
voltage levels to be applied by the PCI to the optical 
modulator CM. Each voltage Vk generated is associated 
with a specific basis of the M-ry scheme. The pulsed 
mesoscopic coherent state at the input (see Fig. can 
be seen as a linearly polarized state of light. Orthogonal 
polarizations define bits or 1. The input pulse is modi- 
fied by the action of the CM into a state (e.g., elliptically 
polarized light) Y(R, Kq) that is sent to B. Without the 
modulation given by Vk the output signal would show the 
sequence R of orthogonally linearly polarized states (bits 
and 1) on a single basis. The Vk modulation converts 
these signals to a non-orthogonal set of M-ry states. A 
similar line of reasoning applies to phase modulated sig- 
nals, where phases and tt provide the two bits. 

4. By knowing the sequence of bits Kq, Bob demodu- 
lates the received sequence obtaining Ri. 

At the receiving station, by applying the shared key Kg 
Bob demodulates the changes introduced by A and reads 
the resulting true random stream Ri of orthogonally po- 
larized light states. A and B now share a fresh sequence 



of random bits Ri. 

5. Bob obtains a fresh random sequence R2 from his 
PhRG and sends it to A, ciphering the sequence in blocks 
of size Km- Ciphering bits are taken from the earlier 
sequence received Ri. 

Each sequence of bits, of length Km, from Ri define the 
ciphering basis for Km fresh bits in R2. By knowing Ri, 
A reads R2 with perfection. The first cycle is complete. 

6. A and B continue to exchange random sequences as 
described in the first cycle. 

Subsequent cycles can be performed and in each cycle, 
blocks of size Km are ciphered to keep the total length 
in each cycle constant and equal to Lq. A and B can 
then share sequences of random bits obtained from the 
PhRGs. A shared random sequence can be used to re- 
start a cycle by A or B whenever an interruption occurs. 

7. A and B apply information reconciliation and pri- 
vacy amplification to distill a final sequence of bits. 
The process of privacy amplification discards bits in the 
sequence and, consequently, destroys the short-ranged 
bit-cipher correlations due to the block ciphering. As 
the PhRGs present no bit correlation, the final shared 
random sequence will present a similar statistical prop- 
erty. 

These steps describe the protocol without discussing 
security aspects. However, being a physical protocol, 
it would be incomplete without specifying (n) and M. 
These parameters have to be provided, under the initial 
conditions presented, and a quantitative measure of the 
security level associated with them has to be derived. 
This is the subject of the following sections. 

BIT ENCODING AND THE PHYSICAL 
PROTECTING MECHANISM 

The physical protecting mechanism in this case is the 
same as that on which the arj systems are based. Al- 
though it has already been described, with examples, in 
Ref. , it will be presented here and discussed to clarify 
the security provided by the quantum noise of light to this 
key distribution system. A bit-by-bit proof 0, based on a 
Positive Operator Valued Measured theory (POVM), will 
follow. The choice of a POVM demonstration relies on 
its generality once the wave function or the density ma- 
trix that represents the physical process is chosen. The 
resulting analysis carries the information content in the 
density matrix and has broad validity. This is particu- 
larly useful because the eavesdropper should be allowed 
to use any technology or attack (beam-splitter, cloning, 
homodyne measurements and so on) and a general pro- 
tection cannot be based on particular threat models. 

The security analysis to be presented covers both po- 
larization and phase modulation of optical signals. In 
the case of free-space implementation, the coherent states 
defining each bit are two orthogonal modes of polariza- 
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FIG. 2: Ciphering wheels for phase angles <j)k- Cases M — 1 
to M = 5 are shown for a given bit. Each k value specifies 
a two-state basis (0, 1) where component states are separated 
by A<p = n. 



tion. In the phase ciphering, two modes separated by a 
phase of tt could be used. In the polarization case the 
running key specifies a polarization basis from a set of 
M uniformly spaced two-mode bases spanning a great 
circle on the Poincare sphere. Fig. |21 sketches the M- 
ry ciphering protocol as implemented in the ar] systems 
la, |y| where closest bits are mostly distinct from each 
other. In this key distribution scheme, the same M-ry 
scheme is utilized. Each basis represents a polarization 
state and its antipodal state at an angle tt from it (bits 
and 1). The mapping of the stream of bits onto points 
of the Poincare sphere is the key to be shared by A and 
B. It points precisely to the basis being used at each bit 
emission. Each fc-basis is defined by the Poincare an- 
gles Qk and ■ The number of bases M chosen should 
be such that the uncertainties caused by the quantum 
noise of light on the polarization angles leads to a large 
error. This can be understood in a variety of ways; for 
example, by directly writing the manifold of two-state 
{\^{Qki^k))} bases in Cartesian {x,y) coordinates fixed 
at the OM physical axes (chosen at 45" from the hori- 
zontal) gives 



|*(efc, $fe)) ^ |a7(efc, $fc))x ® laSiSk, 'S>k))y , (1) 

where a is the coherent amplitude and 7 and 6 are the 
projections on x and y. 



7 = 



(1 - 2)e**^/2 cos(efc/2) + (1 + i)e~**'=/2 sin(efe/2)' 



S = \{1 + Oe''**"/' cos(efe/2) + (1 - i)e-"^''/^ sin(efc/2)' 

For example, on a great circle set by Qk = Qp = Qq, the 
overlap (*(9a;, $fc)l*(0p7 *p)) between states k {^k = 



fjk) and p ($p = fjp) gives 



!(*($, )!*($,) 



-2{n) [1 



(2) 



This will define the polarization angle uncertainty pro- 
duced by the shot noise associated with the coherent 
states. For large (n) the periodic functions in Eq. (0) 
can be expanded around $p, as ~ <^p + A$, giving 
\{^{Qk.'^k)\^{Qr>,%))? ^ exp[-A$V(2a2)]. ^ 
1 / (71) is the uncertainty associated with the Poincare' 
angle. This uncertainty is directly associated with light's 
shot noise and cannot be overcome regardless of one's 



precision capabilities. Without knowing the precise ba- 
sis sent (or angle), E cannot obtain the bit that is sent. 
Her measurement of the polarization angle becomes un- 
certain by the uncorrelated noise 0, in the two axes 
( {nin2) = {ni){n2) ). It will be shown that this noise 
can be used judiciously to prevent an eavesdropper from 
accessing the information while the legitimate receiver 
B can control it. This access is given by the knowledge 
of the key: the legitimate receiver projects the received 
signal completely onto one of the physical axes of the re- 
ceiving system (e.g. the PBS in Fig. and this way 
the associated noise becomes irrelevant to his binary de- 
termination (See Refs. 0, Q for experimental results). 
Receiver B can even support moderate misalignments of 
his bases system because whenever most of the light falls 
into one of his detectors this would indicate the correct 
bit. In contrast, for Eve, apart from the uncertainty 
caused by the noise, even a small misalignment will give 
her an incorrect basis. Furthermore, her measurement 
system needs high resolution and precision to obtain re- 
liable data for analysis. The number of bases N^, within 
a is = Ma/iT = M/(7r^/(n)). The system should 
be designed, as it will be shown, such that covers a 
reasonable number of adjacent bases. 

Phase modulation of the signals can be utilized by cre- 
ating two pulses delayed by a fixed amount of time and 
introducing a phase difference (j)b between them to rep- 
resent bits or 1 (e.g., (j)b = and tt). An extra phase 
difference 4'k is provided by the Km shared bits. At the 
receiver, these pulses can be made to interfere and by 
subtracting the phase 0^, B can recover each random 
bit sent. Formally, this phase encoding could be writ- 
ten starting from a coherent state |a) that is split into 
a two-mode coherent state |5'o) = \a/V^)i (g) \a/\/2)2- 
Bit encoding using the two-mode state, represented by 
annihilation operators ai and 02, can be done by 

= e-'-^^^^l^o) = ® |e^''''/'^>2, (3) 

where ~ (^a\ai — 0302^ /2. This phase modulation 
can also be interpreted as a relative one, with the zero 
reference taken at one of the states . A crucial ingredi- 
ent in the security demonstration is that the modulation 
operations have to be unitary or energy conserving. In 
this way, the input energy associated to each pulse will 
have to be distributed between the two modes. Precise 
information about the energy content in each mode is 
not needed, but one is assured that all energy is being 
accounted for in the demonstration. Although losses are 
unavoidable in real systems, this condition also reflects 
the fact that technical losses are expected to decrease 
with advances in technology and so they can be consid- 
ered asymptotically negligible. Therefore, for a modu- 
lation system that is not energy conserving in principle, 
the following demonstration does not apply. 
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In the phase modulation case, one can associate an in- 
dex I/, in general, to the ciphering angle 0^ to represent 
a possible applied modulation. This index v could repre- 
sent a discrete or a continuous variable determined by a 
general distribution. In this M-ry scheme v = k. 

A ciphered bit in the two-mode state will be written 



|e-*('^'■+*■')/2a/^/2)l ® le— ■ "a 



(4) 



where (ft (= 0, tt) specifics the bit being "sent" and 
is the ciphering phase. The overlap of and l^'b^) 

leads to an equation similar to 



EAVESDROPPER'S MINIMUM PROBABILITY 
OF ERROR 

To show that this key distribution scheme is secure two 
basic points have to be demonstrated: 

1) For a fresh bit sent, the minimum probability of error 

that an eavesdropper can achieve in the bit determi- 
nation must be guaranteed to be arbitrarily close to 1/2, 

2) The use of a given random sequence 2 x Km, one time 
as a "message" and the second time as a cipher for the 
fresh random sequence, still allows one to set Pf -^1/2. 

As a starting point for the first part of the demonstra- 
tion, the density matrix p for all possible two-mode states 
resulting from ciphering a bit b is written as 



Pb 



P4>J'^b,.){'^bu\dv , 



(5) 



where L is the space spanned by ly and P^^^ describes 
a general phase distribution. The optimal POVM for 
discriminating between po and pi (or Ap = po), in 
the polarization case, was first applied in Ref [6j. 

Calling Hi and IIq (IIi -t- XIq =I) the projectors over 
eigenstates with the positive and negative eigenvalues of 
Ap, the probability of error Pf is 



Pf = TrbinoPi+PoniPo] 



(6) 



where pi and Pq are a-priori probabilities to find a state 
in pi or Po, respectively. P^ defines the minimum prob- 
ability of error that is caused by a wrong choice of bases 
by Eve when she tries to determine a bit sent. Of course, 
error levels higher than the one given by Eq. ^ can be 
found but the interest here is to find Eve's lower bound 
of error in a bit-by-bit determination. 

P{4>u=k) randomly establishes the index k associated 
with discrete phase values (f>k in the ciphering wheel 
shown in Fig[21 where adjacent bits to a given k are mostly 
distinct bits from the k bit. For this implementation 
the location of the two-state bases are given by 



k 

M 



k = 0,1,..., A/ - 1 . (7) 



For equal a-priori probabilities pi = po = 1/2, Eq. © 
reduces to 



1, 



1 



P,^ = -Trpopi + Hipo] = 2 (1 - Trpi Ap]) 



= 1(1 -2^ A,), (8) 



where Xj are the positive eigenvalues to be obtained from 



u=k=0 

Eq. can be expanded as 

oo oo 

Ap= ^ E ^P,,M){{%'\ , (10) 



q= — oo q'= — oo 



where 



Ap,,,, = -2^e-l"l Jj^i,, (|a|2) /^i^-i (|aP) x 



sin [{q' - q)7r/2] e*(9'-9)'^/2_L ^ ^^Ml'-q) ^ (n) 



fc=0 



where Ij is a Modified Bessel function. 



^E 



y/V2) 



2J 



k,9»(12) 



and \J,q)) ^\J-q)®\J + q) .(13) 



From the positive eigenvalues of Eq. pi(l . the minimum 
probability of error, Eq. 0, can be calculated. 

Eq. (jnj can be expanded in several ways, the adopted 
expansion uses the angular momentum basis \J,q)) = 
\J — q) ^ \ J + q), that is a natural basis to deal with 
angular rotations. 

Assuming that k values have uniform probability of oc- 
currence one can show that the number of a-priori prob- 
abilities for the number of occurrence of even-k or odd-fc 
lines, given M , is 



Peven-kiM) — 
Podd-k{M) = ■ 



1 - (-1)^^ +2M 
4M 

-l + (-l)^^ + 2A-/ 
4M 



(14) 



For simplicity and without loss of generality, let us adopt 
bases even in M, where Peven-kiM) = podd-k{M) = 
1/2 = pi = p2, to show numerical examples. Figure |2| 
shows the minimum probability of error as a function of 
the number of ciphering levels M. Pf goes very fast 
to the asymptotic pure-guessing limit of 1/2 as M in- 
creases. It is then shown that the minimum probability 
of error Pf —> 1/2, at a fixed average number of photons 
|ap, can be achieved by increasing the number of bases 
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FIG. 3: as a function of M for |a|^ = {n) = 1, 10, 100, 
and 1000. 



M adequately. This demonstrates that in this scheme 
an eavesdropper cannot obtain the individual bits sent, 
regardless the precision of her devices. The physical ori- 
gin causing this impossibility for Eve to obtain an angle 
(f)k and therefore the associated bit, rests in the source 
emission itself. Although a deterministic angle can be 
applied to the modulator the resulting light output is 
probabilistic in nature and in single shot measurements 
with mesoscopic states the resulting field does not carry 
this applied angle 0^ but presents a distinct (p'^, . This is a 
Nature's fact that cannot be changed regardless the mea- 
surement applied (homodyne, heterodyne, and so on). 
This completes the first part of the demonstration. 

For the second part of the demonstration, one has to 
show how repetitions of the cipher to encode the distinct 
bits generated in the random process increase the res- 
olution achievable by the eavesdropper over the signal 
sent. One should recall that cipher repetition are used 
in the block ciphering described in step 3 of the proto- 
col. As discussed in , these repetitions arc not neces- 
sary because the ciphering procedure can be randomized 
bit-by-bit through use of a stream cipher using the Km 
sequences as seed keys. 

One could ignore this perfectly possible randomiza- 
tion an calculate a much more drastic case, one where 
both cipher and bit were repeated r-times. This can 
be seen as an overestimated upper bound for the ac- 
tual situation because each random bit sent is a fresh 
bit in the sequence being sent. As photon numbers 
in distinct coherent pulses of same amplitude fluctu- 
ates in an uncorrelated way, in r-repetitions of a sig- 
nal the resolution achieved for extraction of this sig- 
nal increases with the number of repetitions. This is 
quantitatively obtained from the r-product of Eq. ||2J): 
P(r; k\p) = P{k\p)'^'- ~ exp [-rA^^ /{2a^)] . This Gaus- 
sian process gives the standard deviation cr' = cr/^/r as- 
sociated with the angle uncertainty in a measurement 
process. This uncertainty a' is equivalent to the one ob- 
tained from a single shot measurement with the photon 
number r{n). In other words, a single shot using r-times 



the laser power will give the same signal resolution for a 
bit reading as the r-repeated sequence with (n). Conse- 
quently, for a fixed M, the r— repetition of the random 
sequence then reduces from P^{{n)) to Pf{r{n)). 
The dependence of Pf can be calculated as a function of 
(n) and M for arbitrary numbers. Therefore, the system 
can be designed to a desired security level P^ , through 
the correct choice of (n) and M. As a numerical example 
consider, say, M = 32 (or Km = 5 bits) with (n) = 100 
to achieve Pf = 0.476 m a smg le shot (see Fig. ^. To 
guarantee the same security level {Pf = 0.476), due to 
the r ~ 2x Km ~ 10 repetitions, one should use M = 90 
{Km ~ 7) corresponding to (n) = 10 x 100 = 1000. The 
conclusion is general regardless of the specific numerical 
example. Proper scaling can be done for other intensity 
levels adequate for the sensitivity of the detection sys- 
tem. Although this is an overestimated calculation it is 
adequate for our purposes to show that the protection 
level can be increased according it is needed. The alter- 
nate encryption described in [llj reduces this overhead 
substantially because each level used to cipher each bit 
is close to have occurred in a truly random. 

It has been shown that the transmission stages A^B 
and B— s-A can be made secure under individual bit at- 
tacks. The quantity Pf can be connected to the bit- 
error-rate probability and entropy measurements such as 
mutual information or relative entropy, can be directly 
derived from it. 

The following section discusses some aspects of attacks 
on this scheme. As there are no ciphertext or known- 
plaintext involved in the transmission of random bits, 
attacks on the transmitted random sequences to obtain 
the key Kq have to start considering a guessing proba- 
bility of 1/2 for each bit or 1/2^" for any complete se- 
quence sent. Considering that for each new bit sent the 
random noise may produces ~ No- possible outcomes in 
a measurement process, the number of possibilities to 
be considered grows exponentially depending on Lq and 
N^l- This indicates that an unsurmountable computa- 
tional problem would occur for a large number of bits 
sent. 



EVE'S RECORD, CORRELATIONS AND 
DRAWBACKS 

Next, one has to show that the security level calculated 
also holds under the basic conditions already defined: I) 
The eavesdropper is allowed to have full access to the 
random signal sequence being generated. II) She would 
work near the source to avoid signal losses. 
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Bit-cipher block correlations 

In general, any degree of correlation in a bit sequence 
can be explored by Eve to decrease her degree of un- 
certainty. While use of true random numbers eliminate 
intrinsic correlations in the generation process the 
block cipher utilized introduces a short range bit-cipher 
correlation. The increased number of levels M utilized 
was aimed to increase Eve's bit-by-bit probability of er- 
ror to the guessing levels even under the block cipher- 
ing used. Although Eve cannot obtain the random bits 
sent from the measured signals one may argue that some 
correlation may be detected due to the bit-cipher corre- 
lation. As one can see from the given numerical exam- 
ples, the condition N^r > Km can be easily applied to 
the communication scheme with mesoscopic states. This 
condition assures that the uncertainty produced by the 
noise overcomes the amount of knowledge associated to 
these correlations. In a linear algebraic system it corre- 
sponds to a number of unknowns larger than the number 
of available equations. Nevertheless, information recon- 
ciliation and privacy amplification [l^l distill a random 
sequence about which Eve has a negligible amount of in- 
formation and also has the additional effect of destroying 
the short bit-cipher correlations. Basically, the fact that 
the information known by the legitimate parties differs 
from that obtained by the eavesdropper is what allows A 
and B to achieve the secrecy goal. 



Homodyne and delay line 

Homodyne and heterodyne techniques can be also uti- 
lized by Eve to obtain the signals with better precision 
than a direct detection measurement. With knowledge of 
the key sequence Bob and Alice always utilize the proper 
quantum measurement basis for their optimal binary de- 
tection, assuring a resolution superior to the one obtained 
by Eve. In principle, if the seed key is available to Eve, 
after her records were created, she could apply rotations 
over the recorded signals to obtain the correct sequence. 
This has to be performed in a sequential operation due to 
the lack of structure in the PhRGs generation of random 
numbers. This differs from performing a mathematical 
operation with a deterministic function to obtain a result 
Xn^i given x„, up to xq- Nevertheless, assuming that 
this inversion is possible in principle, Eve could obtain 
the random sequence once the starting key is available 
This will be equivalent to a futuristic optical delay 
line that could be tapped on demand and Eve could wait 
as long as necessary until the shared starting key is made 
available to her and only then perform her measurements 
perfectly mimicking Bob's measurement over her copy of 
the signals. With the key, E does not need the same reso- 
lution as before and the applied rotations would lead her 
close enough to the correct axis orientation and to bit 



identification. Therefore, the shared starting key has to 
be protected at all times. This is the fundamental draw- 
back of this system 0|, although it is not important in 
the current state of technology . In essence, assuming a 
protected starting key, this method can be described as 
a one-time-pad extender. 

The futuristic delay line discussed led to the protec- 
tion of the starting key at all-times because there are no 
in-principle impediments for creation of such a device. 
One could also invoke a perfect photon number cloning 
so that Eve could obtain multiple perfect copies of each 
signal sent. Perfect copies would allow Eve to obtain 
the correct bit sequence but perfect cloning violates the 
no-cloning theorem. Realistic amplification schemes with 
linear optical amplifiers introduce spontaneous noise that 
decreases Eve's signal resolution. Imperfect cloning 
using realistic number distribution consisting of mixtures 
of stimulated and spontaneous thermal processes are akin 
to linear optical amplification and degrades signal reso- 
lution. 



Phase measurement bounds 

Even without reference to a particular setup, it is 
worth comparing the obtained numerical results with the 
bounds on phase measurements imposed by the smallest 
detectable phase shifts usually considered (See and 
references therein). They are: 1) the standard quantum 
limit (SQL), given by AipsQL ~ 2) Squeezed light 

limit (Sqz), given by A(j)sqz ~ 1/7V3/4, and 3) "Hcisen- 
berg" limit A(j)H ^ l/N. A homodyne setup to identify 
a given phase that uses, say, a squeezed field has to scan 
the phase interval of interest to probe for the best reso- 
lution region where the phase measurements lapse below 
shot noise condition. In the case of interest in this pa- 
per, each signal pulse will be set randomly in one basis 
chosen among M bases. The minimum interval between 
bases is Acjjmin = tt/M. A uniform scan on the semicir- 
cle (tt) with maximum efficiency will find the particular 
basis sent within a fraction At/)mi„/7r = 1/M of the pulse 
containing N photons. One could therefore impose the 
condition for indistinguishability of the sent phase using 
the lowest limit given by A(j)H'- 



A(t)H > A(t>„ 



(15) 



Writing Acfin to take into account the optimized fraction 
of the pulse, one has 



A(j)H = 



1 



{l/M)N ' 



and therefore 



M > 



(16) 



(17) 



This condition is satisfied under the conditions exempli- 
fied in Fig. 13 in agreement with obtained results. 
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Speed costs and other aspects 

The main cost for the security obtained in this scheme 
is the M-iy number of levels needed. An increased num- 
ber of levels demands an increased number of bits to pro- 
vide the necessary resolution and a wider dynamic range 
for the waveform generators to provide such modulations 
at high speeds. For example, in case one assumes the 
overestimated 2Km repetition this will decrease the bit 
output rate from, say, lOGHz. to 10GIIz/2Km- For a 
nonrepeatcd cipher, if one uses M = 1000 {Km ^ 10), 
and (n) = 10* the number of levels covered N^r ~ 
M/ [-KyJ {n)) ~ 3.18. To keep the same number of lev- 
els Na covered under the 2 x Km repetition, equivalent 
to a single shot with the intensity 2 x Km higher, the 
number of levels necessary is Mnew ~ 4472. This reduces 
the speed to 10GHz/2/4:m„,„ = 0.4GHz from lOGHz. Al- 
though this large increase in the number of levels is not 
necessary it emphasizes the overhead involved when 
one increases the number of levels M . 

Exploratory physical attacks by the eavesdropper, such 
as injection of a strong signal to detect the weak reflec- 
tions from the surface of the OM modulator, and from 
these to obtain the modulation applied, can be easily de- 
tected by signal splitting. Specific analysis for the physi- 
cal attacks could be applied on a case-by-case basis. The 
robustness of the signals under signal jamming by an en- 
emy, for example, may be of interest for some applica- 
tions. In this case, one could superpose on the ciphering 
levels phase and amplitude modulations and even utilize 
emission at distinct wavelengths to provide a set of con- 
ditions that the legitimate parties could use to extract 
the signals. Again, specific issues require case-by-case 
responses. These questions arc not related to the secu- 
rity aspects of interest here. In the same way, computer 
attacks and general attacks outside the optical chan- 
nel are not the focus this work. 

Signal amplification 

The presented key distribution scheme aims to defeat 
Eve's actions at the source, where no losses occurred. 
Amplification processes always degrade signal resolution 
for Eve or Bob. As Eve is already defeated at the source, 
she cannot obtain any improvement through amplifica- 
tion. On the contrary, the knowledge of the key allows 
Bob to distinguish signals as long as he has a good signal- 
to-noise ratio. Therefore, amplification is possible for the 
legitimate receivers because they need a smaller resolu- 
tion degree than Eve. It works as long as A and B can 
identify signals in orthogonal bases. A and B apply sim- 
ple binary decisions to distinguish between orthogonal 
bases while Eve, on the other hand, needs high resolu- 
tion to distinguish between adjacent levels of the M-ry 
scheme. This is why an increased noise for A and B due 



to the amplification process does not have the same ef- 
fect on Eve's measurement. With the signal protected at 
the source, noise created by amplifiers can be acceptable 
for A and B until their error bit rate exceeds a toleration 
level. 

Numerical simulations indicate that A and B can uti- 
lize amplifiers up to distances of ^ 500km before signal 
regeneration becomes necessary. These simulations con- 
sider the spontaneous decay in amplifiers onto the mode 
to be amplified as well as onto the mode orthogonal to 
the carrier. These added noise sources degrade signal 
resolution for the users and increase the bit error rate. 
Other error sources exist such as acoustic and thermal 
fluctuations but they occur in a much slower time scale. 

It is important to observe that any advantage ob- 
tained by A and B over E, at the source, leads to an 
increased communication distance for A and B. Although 
B can support losses as long as this system presents 
a low bit error rate, his superiority over Eve decreases 
and ceases at the moment where Eve can have an equal 
or larger amount of information than Bob ^3- These 
differences can be estimated by calculating Pf{0)/P^, 
where Pf{Q) is Eve's error probability at the source and 
is calculated after the amplification stages. Ideally, 
Pf{0)/P^ ^ 1- Therefore, any randomization that can 
be further introduced by Alice at the source amplify- 
ing Eve's uncertainty will refiect as an increased range 
for secure communication |l7l |. Randomization can be 
increased by several means; however, increasing the ran- 
domization level usually has a cost associated to the pro- 
cess that has to be weighted with respect to the gain to 
be achieved. 

Summarizing, signal amplification is essential for In- 
ternet and this key distribution scheme can be tailored 
for some of these applications. 

MUTUAL INFORMATION 

The concept of mutual information I{X : Y{X)), con- 
cerning the amount of information on X giving the ob- 
servable Y, allows one to extract basic information on this 
key distribution system. The minimum probability of er- 
ror for Eve, bit-by-bit, derived in Eq. (jSj), Pf , gives the 
bit-error-rate for Eve in the binary entropy H{R\Ye{R)). 
The mutual information Ie{R : YeiR)) = H{R) - 
HiR\Y,iR)) = 1 + Pf log, Pf + (1 - Pf ) log2(l - ) 
describes the amount of information Eve could obtain in 
a bit-by-bit attack on R. Fig. 0]shows this dependence as 
a function of M and some values of (n). H{R) = 1/per 
bit (or Lq for a perfect random stream of length Lq). 
Although an individual bit-by-bit attack is only a lim- 
ited attack from Eve it shows the increasingly difficulty 
the attacker finds as a function of the variables used. 

The presented key distribution process intends to per- 
form a distribution between two users of a fresh sequence 
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FIG. 4: Ie{R : Ye{R) as a function of M for jap = (n> = 
1, 10, 100, and 1000. 

of random numbers generated by one or more PhRG's. 
While the final shared sequence is truly random, as it was 
thoroughly discussed, each sequence was obtained using 
the former sequence to cipher it. The whole process was 
then dependent on the secrecy of the fist key sequence 
A'o (of length Lq). As long as one chain in the sequence 
is not compromised, the whole sequence results secure. 
In other words, although A and B may share an arbi- 
trarily long sequence of random numbers, the security of 
the process relies in a single element of the chain. This 
is distinct from processes described as fresh key genera- 
tion in the conventional nomenclature where one aims to 
create keys that are unconditionally secure even after the 
starting key is compromised. This goal has not yet been 
achieved outside from sin gle p hoton protocols and it is a 
constant matter of study [Tg . 

This intuitive dependence of the security of the chained 
sequence of keys on a single element of the chain can 
be formalized as follows. Using the definition of mutual 
information utilized above, 

I{R:Y{R))^H{R)-H{R\Y{R)), (18) 

and writing the difference between the mutual informa- 
tions between B and E at each cycle of length Lq : 

AI = Ib- Ie 

= [H{R) - H{R\Yb{R))] - [H{R) - H{R\Ye{R))] 
= H{R\Ye{R)) - H{R\Yb{R)) . (19) 

From the fact that, at best, H{R\Yb{R)) = and 
H{R\Ye{R)) = Lo in the first cycle, one sees that 
AI < Lq, what shows that the uncertainty may be kept 
at the first sequence Lq with a level given by Lq itself. 
The conditions that Bob reads without errors the ran- 
dom numbers sent {H{R\Yb{R)) = 0) in a sequence of 
length Lq and that the secrecy of the shared key for 
Eve is perfect {H{R\Ye{R)) = Lq) are basic and rea- 
sonable assumptions. To complete the derivation, one 
may write the chaining rule [l^ H{Li,L2, ■ ■ ■ , L„\Ye) = 
X]r=i ^ii ■ ■ ■ 7 Li-i) to sec that 

H{Li,L2,---,L^,---\Ye) = 



H{L,\Ye) + H{L2\Ye, Li) + H{L3\Ye, Li^L^) + • -(^O) 

One can see from this rule that in the first round where 
Li (or {Ri, • • • TLkm}) is ciphered with Kq, unknown to 
Eve, Eve's entropy knowing Ye is H{Li\Ye) = Kq, as 
long as no information on Kq is leaked to her. However, 
in case Eve knows Li and Ye she could know L2, that 
is to say H{L2\Ye, Li) = because this provides her 
with the same information that Bob has, and so on with 
the subsequent terms. Therefore A/ ~ Kq or, in other 
words. Eve's uncertainty is Kq (length Lq). In case Eve 
is unable to obtain Li, L2 ■ ■ • this result does not apply, 
of course, and Eve's knowledge on the whole sequence 
of transmitted random numbers is null. This analysis 
stands for any length Lq, that has to be tailored accord- 
ing one needs. For Lq ~ 10^, as an example, implies 
that to break the sequence Eve has to order correctly 10^ 
bits, what gives her a probability for success of 1/(210 ). 
Privacy amplification steps further decreases as well 
as destroys short range correlations in original random 
streams. Even periodic replacements of the starting keys 
can be introduced and the whole process can be tailored 
to any advances in computational capabilities. 



Quantum noise 

One should understand that the inherent quantum 
noise in the system sometimes invalidates conventional 
techniques one could use in a noiseless system. For ex- 
ample, in the case of a classical M-ry ciphering, or ci- 
phering with intense coherent signals, Alice could send 
repeatedly a given bit r to Bob fixed in any basis of 
the Af-ry detection system. Bob measures successively 
ri = r, r2 = r, r^ = r, ■ ■ ■ . The following properties then 
holds: 1) Any pair of r obeys r r = 0. Therefore, 2) If 
a message bit x is ciphered as y = a; ® r by Alice, Bob 
is able to recover x using any obtained r by performing 
y ® r = X. This holds because r is obtained noiseless 
and, therefore, ?- ® r = . Classical one-time pad ap- 
plications are "noiseless" . Quite distinctly, when using 
a mesoscopic coherent state, a repeatedly sent bit r will 
be read by a receiver that does not know the basis to be 
used, as ri = r -|- Ai, r2 = r + A2, where Aj express 
the effect of the noise in the channel. In this case, 1) Any 
pair of r obeys rj = Ai + A2 instead of r © r = 
; 2) If a message bit x is ciphered as y = {x ® r)i by 
Alice and Bob has rj , he obtains y (B rj = a: -I- A^ -I- Aj 
instead of x. This only stresses that the knowledge of the 
bases used to transmit the random sequences or keys is a 
crucial step for this key distribution system. One should 
realize that the channel noise, inherent to the light field, 
has its source at the emitter itself, ignoring all technical 
noises eventually present. 
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CONCLUSIONS 

It has been demonstrated that a fast key distribution 
scheme between two stations can be implemented where 
the practical physical limitations are set by the speed of 
the electro-optic modulators and acquisition electronics 
available through current technology. A secure random 
sequence obtained can be utilized in "Vernam's onc-timc- 
pad" sense, for applications that demand unconditional 
security. Fundamentally, the system allows for signal am- 
plification, as in the ar] systems. The system works as 
long as the receiver has a good signal-to-noise ratio after 
the last amplification stage and the occurred losses do 
not give him an information level worst than Eve's. The 
possibility of amplification paves the way for long dis- 
tance key-distribution protocols protected by the quan- 
tum noise of light, offering a practical advantage over 
single-photon protocols. 
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